Skip to content

Document management: Examination & certification PK-DML

Hände tippen auf einer Laptop-Tastatur, umgeben von schwebenden digitalen Ordner- und Dokumentensymbolen.

Use PK-DML for audit-proof archiving of your electronic documents

Users of document management solutions (DML) are subject to legal requirements for the audit-proof storage of documents. Typical core requirements are unalterable archiving, traceability of process flows and long-term formats. These are often accompanied by questions: Can the paper originals be destroyed after archiving? Does the archiving process run properly and on time? Can an archived document still be reproduced true to the original after 10 years?

TÜV NORD carries out technical and organisational tests and certifications tailored to the respective context in order to answer these and other questions about the revision security of your document management system.

Partial solutions - such as scanning processes or archiving systems - can also be certified, provided the interfaces and functional delimitations are clearly documented.

What are PK-DML?

The test criteria for document management solutions (PK-DML) were developed jointly by the VOI (Association of Organisation and Information Systems) and TÜV NORD. They cover all legal and non-legal requirements for a document management solution.

The focus of the PK-DML is on the legally compliant and audit-proof handling of digital documents of all kinds. They consider whether a DML fulfils the following criteria:

  • Regularity
  • completeness
  • Immutability
  • Availability and
  • traceability

If necessary, further regulations, guidelines and standards supplement the test basis.

The current, revised 5th edition of the PK-DML from 2019 can be ordered via the VOI website.

Target group for document management certification

Certification in accordance with PK-DML is particularly suitable for:

  • Companies with a high volume of documents or legal retention obligations (e.g. administration, healthcare, industry) as well as companies that want to document their processes in a legally compliant, transparent and traceable manner
  • DMS software providers who want to build trust and differentiate themselves on the market

The advantages of certification at a glance

  • Increased evidential value of your electronic documents: A tested and certified document management solution (DML) increases the evidential value of your archived documents.
  • Fulfilment of legal requirements: You comply with the legal requirements for capturing, processing & archiving documents.
  • Improved document management: A PK-DML audit reveals potential for optimising the document management solution used.
  • Audit-proof documents: You prove that your electronic documents are stored securely and can no longer be changed.

Our services for you

Workshop

In preparation for the PK-DML audit & certification, we offer a workshop. In this workshop, we present the test requirements to you and carry out an initial assessment of your DML.

Project support & analysis

We would be happy to support you in the audit-proof implementation of your document management system and identify possible optimisation potential for you

Evaluation of existing documentation

Our experts check whether your documentation and/or procedures meet the required test criteria for document management solutions.

Certification

As part of the certification process, we check whether your document management solution fulfils the test requirements. If the TÜV NORD certification body gives you a positive assessment, you will receive the desired certificate from us.

Your path to certified document management

1

Workshop

Presentation of the test requirements and initial assessment of the DML / pre-assessment

2

Document review

Review & evaluation of the procedural documentation in relation to the selected set of criteria

3

On-site audit

Verification of compliance between the documentation & the DML in operation

4

Certification

Evaluation of the test report with regard to the implementation of the test requirements. If the assessment is positive: issue of the certificate.

PK-DML: Frequently Asked Questions

A document management system (DMS) is specialised software that can be used to capture, manage, store, retrieve and archive digital documents in a structured and audit-proof manner. Modern DMS solutions integrate seamlessly into existing business processes and support companies in their digital transformation.

For successful PK-DML certification, DMS software should offer the following functions:

  • Immutable archiving
  • Versioning and logging of changes
  • User and rights management
  • Automated workflows
  • Compliance with retention periods
  • Export to long-term formats (e.g. PDF/A)

These functions are a prerequisite for fulfilling criteria such as traceability, regularity and availability in accordance with PK-DML.

It consists of

  • document review
  • On-site implementation review lasting several days
  • reporting

and certification.

Time required:

  • Approx. 6 months from project start to certification
  • Depending on the complexity of the solution and the number of locations to be tested

The basis of every PK-DML certification is the process documentation, which must clearly demonstrate how the IT solution fulfils the applicable test criteria.The documentation can also refer to other documents that contain more detailed information, such as security concepts, process descriptions or work instructions.

A complete document review is carried out for initial and recertification. The implementation of the measures described in the documentation is checked in an on-site audit lasting several days.

A full document review is not carried out as part of the surveillance, but approx. 50% of the requirements of the PK-DML are reviewed on site. The focus is on changes since the last audit.

The GoBD (principles of proper accounting and storage of digital documents) form a central legal basis for electronic archiving in Germany. A PK-DML audit takes into account whether your DMS fulfils the requirements of the GoBD - e.g. through audit-proof storage, logging and complete procedural documentation.

The scope of the audit and certification is defined in consultation with the customer; for example, sub-processes or all relevant workflows along the document lifecycle can be considered, e.g:

  • Receipt and capture of documents
  • Classification and indexing
  • Approval and release processes
  • Archiving and access
  • Deletion after expiry of deadlines

It is assessed whether these processes are documented, technically secured and implemented in an audit-proof manner.

The certificate is issued by the certification body of TÜV NORD CERT GmbH.

The certificate is valid for 3 years. Initial certification takes place as part of an initial audit in year 1 and 1 surveillance audit in each of years 2 and 3, in which changes to the initial documentation are checked.

The document review contains a maximum of 2 passes, whereby the 2nd document version must be verifiable and certifiable. The on-site audit contains a maximum of one auditable and certifiable run.

The certification can be used for all digital document management processes and the associated IT solutions.

Partial solutions can also be certified, e.g. only the scanning process, the management and processing of files and documents or an archive.

In the case of partial solutions, the interfaces and functional delimitations must be clearly described in the process documentation.

If your DMS solution and the capture process meet the requirements for proper, complete and traceable digitisation in accordance with PK-DML and GoBD, paper documents can generally be destroyed after scanning. This is also known as "replacement scanning" (BSI TR-03138 Replacement scanning (RESISCAN)). An inspection by TÜV NORD gives you legal certainty here.

Why we are a strong partner for you

  • Independence
    Our employees are not subject to any conflicts of interest, as they are not beholden to any product providers, system integrators, shareholders, interest groups or government agencies.
  • Expertise
    With us, you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS audits and penetration tests.
  • International network of experts
    Around the globe: We support you both nationally and internationally. Our global network of experts is at your side for all IT security issues.
  • Industry experience
    Thanks to our many years of experience in a wide range of sectors, we can serve companies from a wide range of industries.
  • Tailored to you
    We focus on customised services - and solutions - that are ideally suited to your current business situation and the goals you have set yourself.

Sie haben Fragen? Wir helfen gerne!

You may also be interested in

Person in Sicherheitskleidung steuert eine Drohne am Wasser, mit einem Strommast im Hintergrund.

IT baseline protection

With ISO 27001 certification based on IT baseline protection, companies and authorities can prove that their level of information security fulfils the requirements of the BSI and is holistically aligned.
Learn more
Gruppe von Personen arbeitet in einem modernen Büro mit Computern und Bildschirmen.

ISO 27001

With an ISO 27001-certified information security management system (ISMS), you can guarantee the availability, confidentiality and integrity of operational information, data and processes
Learn more
Person beugt sich über ein Waschbecken und schöpft Wasser aus einem Wasserhahn.

Critical infrastructures (KRITIS)

Every two years, KRITIS operators must prove that their IT security is state of the art in accordance with Section 8a of the BSI Act. We offer companies various services for providing evidence.
Learn more
Person in Sicherheitskleidung steuert eine Drohne am Wasser, mit einem Strommast im Hintergrund.

Digital health applications

In order for your digital health application to become a health insurance benefit, you must prove that it fulfils certain data protection and data security requirements. TÜVIT supports you in providing proof.
Learn more
Person in Sicherheitskleidung steuert eine Drohne am Wasser, mit einem Strommast im Hintergrund.

Certified video consultation

If video service providers wish to offer their services officially, they must prove that they fulfil the requirements for confidentiality, integrity and availability of personal data as well as information security.
Learn more